Everthing seems to be working

This commit is contained in:
Aeris 2019-11-15 14:36:12 +01:00
parent 8453583818
commit 7eeb0b423b
7 changed files with 159 additions and 1 deletions

2
.gitignore vendored
View file

@ -1 +1 @@
*.conf
conf/*.txt

24
Dockerfile Normal file
View file

@ -0,0 +1,24 @@
# OpenVPN client + SOCKS proxy
# Usage:
# Create configuration (.ovpn), mount it in a volume
# docker run --volume=something.ovpn:/ovpn.conf:ro --device=/dev/net/tun --cap-add=NET_ADMIN
# Connect to (container):1080
# Note that the config must have embedded certs
# See `start` in same repo for more ideas
FROM alpine
COPY sockd.sh /usr/local/bin/
RUN true \
&& echo "http://dl-4.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
&& apk add --update-cache dante-server openvpn bash openresolv openrc \
&& rm -rf /var/cache/apk/* \
&& chmod a+x /usr/local/bin/sockd.sh \
&& true
ENTRYPOINT [ \
"/bin/bash", "-c", \
"cd /etc/openvpn && /usr/sbin/openvpn --config *.conf --script-security 2 --up /usr/local/bin/sockd.sh" \
]

45
LICENSE Normal file
View file

@ -0,0 +1,45 @@
The MIT License (MIT)
Copyright (c) 2016 Chris Yuen
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
===
The MIT License (MIT)
Copyright (c) 2016 Mook
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

47
README.md Normal file
View file

@ -0,0 +1,47 @@
# OpenVPN-client
This is a docker image of an OpenVPN client tied to a SOCKS proxy server. It is
useful to isolate network changes (so the host is not affected by the modified
routing).
This supports directory style (where the certificates are not bundled together in one `.ovpn` file) and those that contains `update-resolv-conf`
(For the same thing in WireGuard, see [kizzx2/docker-wireguard-socks-proxy](https://github.com/kizzx2/docker-wireguard-socks-proxy))
## Why?
This is arguably the easiest way to achieve "app based" routing. For example, you may only want certain applications to go through your WireGuard tunnel while the rest of your system should go through the default gateway. You can also achieve "domain name based" routing by using a [PAC file](https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file) that most browsers support.
## Configuration
In the sockd.sh file you will find the ip command setting routes to some subnet via a hosts ip address. This is seemingly the only way the routing tables inside the container can reach the given subnets.
## Usage
Preferably, using `start` in this repository:
```bash
start /your/openvpn/directory
```
`/your/openvpn/directory` should contain *one* OpenVPN `.conf` file. It can reference other certificate files or key files in the same directory.
Alternatively, using `docker run` directly:
```bash
docker run -it --rm --device=/dev/net/tun --cap-add=NET_ADMIN \
--name openvpn-client \
--volume /your/openvpn/directory/:/etc/openvpn/:ro -p 1080:1080 \
kizzx2/openvpn-client-socks
```
Then connect to SOCKS proxy through through `localhost:1080` / `local.docker:1080`. For example:
```bash
curl --proxy socks5h://local.docker:1080 ipinfo.io
```
## HTTP Proxy
You can easily convert this to an HTTP proxy using [http-proxy-to-socks](https://github.com/oyyd/http-proxy-to-socks), e.g.
hpts -s 127.0.0.1:1080 -p 8080

19
docker-compose.yml Executable file
View file

@ -0,0 +1,19 @@
version: "2.3"
services:
openvpn_socks:
build: ./
container_name: "openvpn_us"
ports:
- "192.168.5.27:1081:1080"
cap_add:
- NET_ADMIN
devices:
- "/dev/net/tun"
#restart: always
volumes:
- "./conf:/etc/openvpn:ro"
- "./sockd.conf:/etc/sockd.conf"
- "./resolv.conf:/etc/resolv.conf"
- "./sockd.sh:/usr/local/bin/sockd.sh"
#sysctls:
# - "net.ipv6.conf.all.disable_ipv6=0"

10
sockd.sh Executable file
View file

@ -0,0 +1,10 @@
#!/bin/bash
ip route add 192.168.5.27/32 dev eth0
ip route add 192.168.0.0/16 via 192.168.5.27 dev eth0
set -e
[ -f /etc/openvpn/up.sh ] && /etc/openvpn/up.sh "$@"
if [ -z "`ps | grep ' sockd ' | grep -v grep`" ]; then
/usr/sbin/sockd -D;
else
echo SOCKD already running!;
fi

13
start Executable file
View file

@ -0,0 +1,13 @@
#!/bin/sh
exec docker run \
--rm \
--tty \
--interactive \
--device=/dev/net/tun \
--name=openvpn-client \
--cap-add=NET_ADMIN \
--publish 127.0.0.1:1080:1080 \
--volume "$(realpath "$1"):/etc/openvpn/:ro" \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
kizzx2/openvpn-client-socks